
Making Programs do what they're supposed to do.

You know what I’m fed up with… people making “security” related discoveries that aren’t really discoveries… they’re just common sense….

There are two guilty parties here that I’m extremely unhappy with: David Kierznowski and pdp. David actually made the news for his Backdooring PDFs blog…. pdp has had several Backdooring .Mov, Backdooring Flash, and Backdooring MP3s..

Let’s take a look at each of these..

* PDF - Portable Document Format - A Document that is entirely self-contained and cross platform… These documents have to, essentially, be “compiled” from other documents… sort of like an executable being compiled from source code. It would make sense that they support their own programming language, which in this case happens to be a javascript variant. This isn’t a software flaw, it’s functional software being utilized completely for malicious reasons.
* MOV - Movie Files - These files quite commonly open a link to the artist's page or the movie's page… They have the ability to open a link and that’s exactly what they are doing.
* Flash - This was one I really enjoyed reading… How Flash could have a trojan or virus contained in it… and then he demonstrates a javascript alert… Again… the program opening a page exactly like it was written to do.
* MP3 - MPEG-1 Audio Layer 3 - This was my favourite one… this isn’t actually MP3s… it’s playlist files that can be named mp3.. So a whole lot of FUD over nothing. If an MP3 is 100 bytes and advertises itself as a full song… obviously it isn’t.. Again though, it’s a playlist file functioning as it is supposed to.

Every one of these blog posts by both of them is nothing more than FUD generation. The fact that they invested so much time into these “vulnerabilities” tells me something about the…. something I think everyone can come to on their own without me mentioning it.

Then there’s the issue of calling these backdoors… Do they know what a backdoor is? By definition this is not a backdoor:

A backdoor in a computer system (or a cryptosystem, or even in an algorithm) is a method of bypassing normal authentication or obtaining remote access to a computer, while intended to remain hidden to casual inspection. The backdoor may take the form of an installed program (e.g., Back Orifice) or could be a modification to a legitimate program.

These people really make me wonder… why not a new one on how to backdoor an exe by writing the source code and compiling it. These all rely on the fact that your browser allows javascript to execute (except perhaps the PDF one because Acrobat includes its own version of javascript)… These should be called “Covert ways to enter a javascript statement into a browser”… They aren’t vulnerabilities and they are not backdoors… They are legitimate uses of the software. Another interesting note is that each time they referred to a file format… However the PDF “backdoor” requires Acrobat… it doesn’t work on other PDF readers… the MP3 “backdoor” requires QuickTime and the browser plugin (since it’s the browser that actually executes the javascript) and like I mentioned it’s not actually MP3s but renamed playlist files. The MOV one is another example that requires QuickTime and more specifically the QuickTime plugin…

Perhaps the message should be — Don’t allow your browser to execute javascript without your permission…. or don’t open files you don’t trust… but to suggest an inherent flaw in either a file format or a type of software because it’s doing what it’s supposed to do…

Consider this my security advisory — Programs do what they are coded to do… and you may not be aware of all their functionality.

Peace,
HT

IT Blog: .:Computer Defense:.PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
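As an added example (not code from this thread or from any of the authors it names), a content-based check for the two cases the list above describes: a file named ".mp3" that is really a text playlist, and a PDF whose objects carry JavaScript or an open action. The sample bytes are constructed for the demonstration.

```python
import re

# Constructed samples (not files from the thread): one real MP3 by content, one
# bare MPEG frame, and two text playlists that were simply renamed to .mp3.
SAMPLES = {
    "song.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\x00" * 60,
    "raw.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 60,
    "track.mp3": b"#EXTM3U\nhttp://example.invalid/redirect\n",
    "hit.mp3": b"[playlist]\nFile1=http://example.invalid/page\n",
}

def classify_audio(data: bytes) -> str:
    """Decide what an '.mp3' blob really is from its content, ignoring the name."""
    if data.startswith(b"ID3"):
        return "mp3"                      # ID3v2 tag precedes the audio frames
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                      # bare MPEG audio frame sync (11 set bits)
    head = data.lstrip()[:16].lower()
    if head.startswith(b"#extm3u"):
        return "m3u-playlist"             # M3U playlist: a list of paths or URLs
    if head.startswith(b"[playlist]"):
        return "pls-playlist"             # PLS playlist: INI-style, File1=...
    return "unknown"

def audit(samples: dict) -> dict:
    """Map each filename to its content-derived type; the extension is not trusted."""
    return {name: classify_audio(data) for name, data in samples.items()}

# PDF name objects that let a document run script or open something by itself.
# Only uncompressed objects are visible this way; names inside FlateDecode'd
# object streams need the stream inflated first.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|URI)\b")

def pdf_active_content(data: bytes) -> set:
    """Return the set of active-content keys present in a (non-compressed) PDF."""
    return {m.group(1).decode() for m in PDF_ACTIVE.finditer(data)}

# Constructed PDF fragment: the catalog's OpenAction points at a JavaScript action.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /JavaScript /JS (app.alert('hi')) >>\nendobj\n")

if __name__ == "__main__":
    print(audit(SAMPLES))
    print(sorted(pdf_active_content(SAMPLE_PDF)))
```

Whether a viewer acts on these keys is up to that viewer, which is the thread's point: the check tells you what the file asks for, not whether the reader will comply.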

discoveries that aren’t really discoveries… they’re just common sense….

In my opinion, security practices such as those aren't ones that people should document or write about. That's like saying, let me write a book telling people don't walk into oncoming traffic, IMO. If you need to be told that, there's probably something wrong with you..

Good article and good read all the same, HTRegz. Ya just hate seeing people do/say some rather bone-headed things sometimes.

EDIT: As for the programs doing this that the other, "Programs do what they are coded to do" ends that story. Thank you. =]

True, they are doing what they are designed to do, but that doesn't mean that there is no security concern here. I had a 1949 Chevy pickup truck that would start without a key. It was designed that way! You could insert the key, turn it one notch and remove the key. After that it would start without the key because it was unlocked. A convenience feature no doubt. They don't design them that way any more because security requirements have changed.

A wma file is capable of doing automatic license acquisition, but can be exploited to download whatever the creator wants. I suspect the mov files can be exploited too. Yeah, they are designed that way, but it isn't necessarily a good idea.

Originally posted here by rcgreen
True, they are doing what they are designed to do, but that doesn't mean that there is no security concern here. I had a 1949 Chevy pickup truck that would start without a key. It was designed that way! You could insert the key, turn it one notch and remove the key. After that it would start without the key because it was unlocked. A convenience feature no doubt. They don't design them that way any more because security requirements have changed.

That was a feature... You could turn it back to the locked position at any point... and you again needed the key. Whether or not you decided to leave it locked/unlocked was your choice... I know people that still leave their cars unlocked.... Those are options that are available to you... the choice is yours to make... Cars are still designed with doors that you can leave unlocked... It's your choice to engage the security..

If you want to use cars as the example.. I have friends that go out on a cold morning, start the car and then lock the doors to leave it running for a few minutes.. then they take the separate door key and open the door when they are ready to leave... Now you have a single key that provides access to everything (That's weaker security in my opinion) and you have cars with doors that you can't lock when there's a key in the ignition... Which forces people who want to start their car early to leave their cars unlocked (a step backwards in security)..

In the end though we're talking not about a "feature" but program functionality... comparing it to cars would be much simpler... "Acrobat can execute JavaScript".... "Your Car can Start".. perhaps if you wanted to prevent someone from executing javascript you'd disable that option... or if you wanted someone to not steal your car you'd disconnect the battery cable... You don't disconnect your battery cable because it's less convenient for you... It's acceptable risk... Allowing JavaScript to run is the same thing.... You don't run around saying "Oh my god... if you don't disconnect your battery a malicious person could still start your car"... which is essentially what these people are saying.

A wma file is capable of doing automatic license acquisition, but can be exploited to download whatever the creator wants. I suspect the mov files can be exploited too. Yeah, they are designed that way, but it isn't necessarily a good idea.

I'm assuming you're talking about the stuff that Ed Botts published a year and some ago.. I see a difference here and I see you doing the same thing these guys are doing.. The flaw exists in WMP not the wma files... Yes the files have the corrupt content, the invalid license links... but it's the way WMP deals with this that is the problem... Which is the first problem I had with the guys above... giving incorrect information... relating it to filetypes instead of specific versions of software. WMP10 also provided out of the box protection via user prompts for this.. This is different... it's javascript.... Javascript is not the most deadly thing in the world... Usually the dangerous XSS is one that's inline on a site... Say XSS embedded in AO that would give someone your AO cookie... using javascript independently of a page isn't going to lead to cookie theft... Also with the wma issue... WMP was actually downloading the files.... (because of how closely it ties with IE)... with the issues these guys are publishing it opens a separate program with a url.... a valid url... something that people want their software to be able to open... The fact that javascript is run is not related to the software (except in the Adobe case) but related to the browser's ability to run it...

Calling these vulnerabilities is wrong... These files are performing a function... could that function present a minimal security risk... yes... Does it need an advisory and is it a vulnerability... no... are you exploiting anything... no... You are partaking in a type of social engineering... that is all.... The software is doing what it was designed to do... you are simply taking advantage of a person to make them use the file you provide.

Peace,
HT
